Next-Generation Firewall
Configure a DNS Proxy Object
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
Cloud Management of NGFWs
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
-
-
- Configure a Filter Access List
- Configure a Filter Prefix List
- Configure a Filter Community List
- Configure a BGP Filter Route Map
- Configure a Filter Route Maps Redistribution List
- Configure a Filter AS Path Access List
- Configure an Address Family Profile
- Configure a BGP Authentication Profile
- Configure a BGP Redistribution Profile
- Configure a BGP Filtering Profile
- Configure an OSPF Authentication Profile
- Configure a Logical Router
- Configure a Static Route
- Configure OSPF
- Configure BGP
- Configure an IPSec Tunnel
- Web Proxy
- Cheat Sheet: GlobalProtect for Cloud Management of NGFWs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 11.2
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
Configure a DNS Proxy Object
Configure the firewall to act as a DNS Proxy to act as
an intermediary between DNS clients and servers.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
One of these:
|
Configure the firewall to act as a DNS proxy object in order to act as an intermediary between
DNS clients and servers.
- Log in to Strata Cloud Manager.
- Select ManageConfigurationNGFW and Prisma AccessDevice SettingsInterfacesDNS Proxy and select the Configuration Scope where you want to create the DNS Proxy object.Select a firewall from your Folders or select Snippets to configure the DNS Proxy object in a snippet.
- Add DNS Proxy Parameters.
- Verify that Enable is selected.
- Enter a descriptive Name.
- Verify the Location of the DNS Proxy object.The Location is based on the folder, snippet, or firewall you selected and can’t be changed. To change the Location of the DNS Proxy object, Cancel the configuration change and select the required folder, snippet, or firewall.
- Select the Inheritance Source.
- Enter the Primary and Secondary DNS IP address.
- For Interfaces, Add and select the interfaces to which the DNS Proxy object applies.See Configure Interfaces to create new interfaces if needed.
- Configure the DNS Proxy Rules.
- Add a new DNS proxy rule.
- Enter a Name for the DNS proxy rule.
- Enable Cacheable if you want the firewall to cache the resolved domain names.This setting is enabled by default.
- Enter the Domain Name to which the firewall compares FQDN queries.If a query matches one of the domains in the rule, the query is sent to one of the DNS servers you specify.
- Enter a Primary and Secondary DNS server for this specific DNS proxy rule.If no primary or secondary DNS servers are specified, then the domain is sent to the DNS servers you specified in the previous step.
- (Optional) Configure Static Entries.Configure a static entry to supply the DNS Proxy with static FQDN-to-address entries. This allows the firewall to resolve the FQDN to an IP address without sending a query to the DNS server.
- Add a static entry.
- Enter a Name for the static entry.
- Enter the IP Address you want to statically map to an FQDN.
- Enter the Fully Qualified Domain Name that you want to map the static IP address to.
- Enable caching and configure other Advanced settings for the DNS Proxy.
- For TCP Queries, Enable to enable DNS queries using TCP.
- Max Pending Requests—Enter the maximum number of concurrent, pending TCP DNS requests that the firewall will support. Range is 64-256; default is 64.This setting applies only if TCP Queries is enabled.
- Configure the UDP Queries Retries.
- Interval (sec)—The length of time (in seconds) after which another request is sent if no response has been received.Range is 1-30; default is 2.
- Attempts—The maximum number of UDP query attempts, excluding the first attempt, after which the next DNS server is queried.Range is 1-30; default is 5.
- Configure the Cache settings to enable the firewall to cache FQDN-to-address mappings that it learns.
- Enable the Cache setting.To enable this setting, you must also enable Cache for your DNS Proxy Rules if the DNS Proxy object is used for queries that the firewall generates.
- Enable TTL to limit the length of time the firewall caches DNS resolution entries for the DNS Proxy object.Enter the Interval to specify the number of seconds after which all cached entries for the DNS Proxy object are removed. After the entries are removed, new DNS requests must be resolved and cached again.
- Cache EDNS Responses—You must enable this setting if the DNS Proxy object is used for queries that the firewall generates.
- Save.
- Push Config to push your configuration changes.